Scaner-VS: Vulnerability Management solution for Russian Military

Scaner-VS is a Vulnerability Assessment system developed by Moscow-based NPO Echelon. It’s pretty popular in Russian government organizations, especially in Russian Army, because it comply all government requirements, has all necessary certificates and is relatively cheap.

As for requirements and certificates, NPO Echelon itself is an important certification authority, so they know how to do the things right. It’s not a secret product or something. You can request trial version freely at http://scaner-vs.ru/version-for-testing/. But note, that it is only available in Russian. I am also sorry, but screenshots in this post will be also in Russian. I will try to do my best to describe them properly.

When you fill the form on Echelon website, you will soon get a link to 3.3 gb .iso file by email. Run it in VirtualBox virtual machine (choose Debian 64 or Debian 32).

Here is a boot menu. Choose first default option.

Some seconds later you will see Linux desktop environment with Scaner-VS web-GUI opened in Firefox.

So, as you can see, Scaner-VS is a Linux distribution with preinstalled security audit tools and some web-gui or framework that combines them. Some of the tools are well-known open source projects, others were developed by Echelon. If you press on 0 at the upper left, you will open project window of the main Vulnerability Scanner. Icons in table-like menu at the rights launch different Echelon tools:

OpenVAS is under the hood of the main Vulnerability Scanner in Scaner-VS. It’s pretty obvious if you look on plugin group names in policy settings, like “Local Security Checks” and “IT-Grundschutz”, very typical for OpenVAS:

Scaner-VS Projects

Old versions of Scaner-VS used modified web-GUI by Greenbone. Now they have own GUI, that is actually pretty good.

The main idea of this Scaner-VS interface: users will work with the “Projects” – some spaces where you, you can make different kinds of scanning and and correlate the results. Very natural way to do Audits, by the way.

Let’s try to scan something, for example a CentOS host. I created a new project:

But, actually, I like it even more. For example, it doesn’t require you to fill the scan name if you don’t want to. It may generate the name from a target list and policy name. I chose Full Scan policy, set the IP in “Basic” tab, credentials in “Advanced” tab and launched the scan:

Scan is processing:

And some minutes later the scan is finished and we can see the report:

The report looks quite pretty. As you can see, there is no description for CESA vulnerabilities, cause it was probably too expensive to translate them all into Russian:

But more common plugins are translated in Russian completely:

This is how the scan dashboard looks after the scan is finished:

Well, there are some small problems, first element – “Target searching” sees some host in assets, but doesn’t show it as CentOS Linux host. However the OS was obviously detected, if we have CESA vulnerability in “Vulnerability scanning” results. Probably, it’s because Scaner-VS takes data only from nmap-based scanning.

When I scanned 192.168.56.102 with “Target searching”, I’ve got this:

Linux. Not CentOS, but still better than nothing =)

In conclusion

I am very glad for Scaner-VS and Echelon. The progress is visible, the product is much better than it was several years ago. Some people criticize vendors, who earn money selling products based on open source. I was never agree with them. GPL does not forbid selling software. And the product is not the software itself, but also marketing, support, training, infrastructure, and, of course, certifications. For end-user from government organization that means that he will use familiar security tools from Kali absolutely legitimately. Isn’t it great?

I am not even telling about the fact that significant part of software for Scanner-VS was developed in Echelon. And this part looks pretty good. The fact that they use OpenVAS under the hood is also great. It is much easier to modify than some proprietary solutions, adding some own nasl plugins. I only hope that they will move to fresh version of OpenVAS and OPM (GMP) protocol for managing it.

Meta

This is my personal blog. The opinions expressed here are my own and not of my employer. All product names, logos, and brands are property of their respective owners. All company, product and service names used here for identification purposes only. Use of these names, logos, and brands does not imply endorsement. You can freely use materials of this site, but it would be nice if you place a link on https://avleonov.com and send message about it at me@avleonov.com or contact me any other way.